Merged
8 changes: 4 additions & 4 deletions packages/openid4vc/package.json
Expand Up @@ -28,10 +28,10 @@
"class-transformer": "^0.5.1",
"rxjs": "^7.8.0",
"zod": "^3.24.2",
"@openid4vc/openid4vci": "0.3.0-alpha-20250511195407",
"@openid4vc/oauth2": "0.3.0-alpha-20250511195407",
"@openid4vc/openid4vp": "0.3.0-alpha-20250511195407",
"@openid4vc/utils": "0.3.0-alpha-20250511195407"
"@openid4vc/openid4vci": "0.3.0-alpha-20250527111829",
"@openid4vc/oauth2": "0.3.0-alpha-20250527111829",
"@openid4vc/openid4vp": "0.3.0-alpha-20250527111829",
"@openid4vc/utils": "0.3.0-alpha-20250527111829"
},
"devDependencies": {
"@credo-ts/tenants": "workspace:*",
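Review bot: The four `@openid4vc/*` pins in `dependencies` move to the `0.3.0-alpha-20250527111829` snapshot with no statement of what this change needs from it; name the upstream change in the PR description (the new `Openid4vpAuthorizationRequestDcApi` import from `@openid4vc/openid4vp` looks like the reason). Keeping the exact pins without a range is right for a pre-release snapshot, and the `pnpm-lock.yaml` diff (25 additions, 25 deletions) should be checked to confirm it only concerns these four packages.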
Expand Up @@ -141,6 +141,16 @@ export class OpenId4VpHolderService {

const dcqlResult = dcql?.query ? await this.handleDcqlRequest(agentContext, dcql.query, transactionData) : undefined

if (options?.verifyAuthorizationRequestCallback) {
const result = await options.verifyAuthorizationRequestCallback({
authorizationRequest: verifiedAuthorizationRequest.authorizationRequestPayload,
})

if (!result) {
throw new CredoError('verificationAuthorizationCallback returned false. User-provided validation failed.')
}
Contributor

This will swallow any errors. I think it might be better to make the inner method throw. Or we at least return the error so we can add it as cause. I think requiring the callback to throw has my preference.

}

agentContext.config.logger.debug('verified Authorization Request')
agentContext.config.logger.debug(`request '${authorizationRequest}'`)

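Review bot: The callback check is placed after the `handleDcqlRequest` call, so a request the application goes on to reject has already been run through query handling before the `CredoError` is thrown; consider invoking `verifyAuthorizationRequestCallback` directly after the request is verified and before any query handling, so that rejection happens first. The thrown message also names `verificationAuthorizationCallback`, which does not match the option name `verifyAuthorizationRequestCallback` and will make the failure harder to trace from logs. Note too that the unchanged `logger.debug` line just below interpolates `authorizationRequest` into a template string, which is worth checking once the callback path is in use, since a rejected request is exactly the one an operator will want to inspect.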
@@ -1,20 +1,28 @@
import type {
CanBePromise,
DcqlCredentialsForRequest,
DcqlQueryResult,
DifPexCredentialsForRequest,
DifPexInputDescriptorToCredentials,
DifPresentationExchangeDefinition,
EncodedX509Certificate,
} from '@credo-ts/core'
import { ResolvedOpenid4vpAuthorizationRequest } from '@openid4vc/openid4vp'
import type { OpenId4VpAuthorizationRequestPayload } from '../shared'
import { Openid4vpAuthorizationRequestDcApi, ResolvedOpenid4vpAuthorizationRequest } from '@openid4vc/openid4vp'
import type { OpenId4VpAuthorizationRequestPayload, Openid4vpAuthorizationRequest } from '../shared'

// TODO: export from oid4vp
export type ParsedTransactionDataEntry = NonNullable<ResolvedOpenid4vpAuthorizationRequest['transactionData']>[number]

export type VerifyAuthorizationRequestOptions = {
Contributor

I feel we're still missing relevant information from the OpenId4VpResolvedAuthorizationRequest interface here.

Also we should try to stay as consistent as possible with OpenId4VpResolvedAuthorizationRequest.

So

authorizationRequestPayload: OpenId4VpAuthorizationRequestPayload

and ideally:

  /**
   * Metadata about the signed authorization request.
   *
   * Only present if the authorization request was signed
   */
  signedAuthorizationRequest?: {
    signer: VerifiedJarRequest['signer']
    payload: VerifiedJarRequest['jwt']['payload']
    header: VerifiedJarRequest['jwt']['header']
  }

also add the origin (in case of DC-API):

  /**
   * Origin of the request, to be used with Digital Credentials API
   */
  origin?: string

Maybe we can just pass the same interface? Or do we call this before the DCQL and Presentation Exchange Queries are run? (in that case we can omit these from the interface). But I would rather not add client here if it's not also available in the resolved value.

https://github.com/openwallet-foundation/credo-ts/blob/main/packages/openid4vc/src/openid4vc-holder/OpenId4vpHolderServiceOptions.ts#L22

authorizationRequest: Openid4vpAuthorizationRequest | Openid4vpAuthorizationRequestDcApi
}

export type VerifyAuthorizationRequestCallback = (options: VerifyAuthorizationRequestOptions) => CanBePromise<boolean>

export interface ResolveOpenId4VpAuthorizationRequestOptions {
trustedCertificates?: EncodedX509Certificate[]
origin?: string
verifyAuthorizationRequestCallback?: VerifyAuthorizationRequestCallback
Contributor

So looking at it like this, what does the callback provide over just doing

  • resolve
  • call custom callback method

The callback just adds another layer of indirection.

For the verifier side the callback makes more sense since we automatically send an HTTP response (and you might want to block it).

Contributor

Also thinking whether the name of the callback may mislead into thinking it will override the verification (which it doesn't).

To continue on my previous comment. The input to the verify is just the authorization request, which is not always the full context (which you get returned from the method). So I'd actually lean to not merge this, and just call our custom callback after calling the credo resolve method.

Contributor Author

It enforces it slightly more, the callback is optional so it is not enforced strictly. The API will be extended before merging to get more values next to the authorizationRequest in the callback. I just need to find out everything that is required or can be nice to have in the verification context.

}

type VerifiedJarRequest = NonNullable<ResolvedOpenid4vpAuthorizationRequest['jar']>
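Review bot: The new `verifyAuthorizationRequestCallback` option on `ResolveOpenId4VpAuthorizationRequestOptions` and the `VerifyAuthorizationRequestCallback` type carry no doc comment, so a caller cannot tell from the type alone that returning `false` makes resolution throw a `CredoError`, or that the callback receives an already verified request and adds to the built-in checks rather than replacing them; add TSDoc on both stating this. `Openid4vpAuthorizationRequestDcApi` is only used in a type position here, so it can be imported with `import type` like the `'../shared'` types on the next line.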
87 changes: 87 additions & 0 deletions packages/openid4vc/tests/openid4vc.e2e.test.ts
Expand Up @@ -353,6 +353,93 @@ describe('OpenId4Vc', () => {
clearNock()
})

it('e2e flow with tenants, holder verification callback for authorization request fails', async () => {
const holderTenant = await holder.agent.modules.tenants.getTenantAgent({ tenantId: holder1.tenantId })
const verifierTenant1 = await verifier.agent.modules.tenants.getTenantAgent({ tenantId: verifier1.tenantId })
const verifierTenant2 = await verifier.agent.modules.tenants.getTenantAgent({ tenantId: verifier2.tenantId })

const openIdVerifierTenant1 = await verifierTenant1.modules.openId4VcVerifier.createVerifier()
const openIdVerifierTenant2 = await verifierTenant2.modules.openId4VcVerifier.createVerifier()

const signedCredential1 = await issuer.agent.w3cCredentials.signCredential({
format: ClaimFormat.JwtVc,
credential: new W3cCredential({
type: ['VerifiableCredential', 'OpenBadgeCredential'],
issuer: new W3cIssuer({ id: issuer.did }),
credentialSubject: new W3cCredentialSubject({ id: holder1.did }),
issuanceDate: w3cDate(Date.now()),
}),
alg: Kms.KnownJwaSignatureAlgorithms.EdDSA,
verificationMethod: issuer.verificationMethod.id,
})

const signedCredential2 = await issuer.agent.w3cCredentials.signCredential({
format: ClaimFormat.JwtVc,
credential: new W3cCredential({
type: ['VerifiableCredential', 'UniversityDegreeCredential'],
issuer: new W3cIssuer({ id: issuer.did }),
credentialSubject: new W3cCredentialSubject({ id: holder1.did }),
issuanceDate: w3cDate(Date.now()),
}),
alg: Kms.KnownJwaSignatureAlgorithms.EdDSA,
verificationMethod: issuer.verificationMethod.id,
})

await holderTenant.w3cCredentials.storeCredential({ credential: signedCredential1 })
await holderTenant.w3cCredentials.storeCredential({ credential: signedCredential2 })

const { authorizationRequest: authorizationRequestUri1, verificationSession: verificationSession1 } =
await verifierTenant1.modules.openId4VcVerifier.createAuthorizationRequest({
verifierId: openIdVerifierTenant1.verifierId,
requestSigner: {
method: 'did',
didUrl: verifier1.verificationMethod.id,
},
presentationExchange: {
definition: openBadgePresentationDefinition,
},
})

expect(authorizationRequestUri1).toEqual(
`openid4vp://?client_id=${encodeURIComponent(verifier1.did)}&request_uri=${encodeURIComponent(
verificationSession1.authorizationRequestUri as string
)}`
)

const { authorizationRequest: authorizationRequestUri2, verificationSession: verificationSession2 } =
await verifierTenant2.modules.openId4VcVerifier.createAuthorizationRequest({
requestSigner: {
method: 'did',
didUrl: verifier2.verificationMethod.id,
},
presentationExchange: {
definition: universityDegreePresentationDefinition,
},
verifierId: openIdVerifierTenant2.verifierId,
})

expect(authorizationRequestUri2).toEqual(
`openid4vp://?client_id=${encodeURIComponent(verifier2.did)}&request_uri=${encodeURIComponent(
verificationSession2.authorizationRequestUri as string
)}`
)

await verifierTenant1.endSession()
await verifierTenant2.endSession()

await expect(
holderTenant.modules.openId4VcHolder.resolveOpenId4VpAuthorizationRequest(authorizationRequestUri1, {
verifyAuthorizationRequestCallback: () => false,
})
).rejects.toThrow()

await expect(
holderTenant.modules.openId4VcHolder.resolveOpenId4VpAuthorizationRequest(authorizationRequestUri1, {
verifyAuthorizationRequestCallback: () => true,
})
).resolves.toBeDefined()
})

it('e2e flow with tenants, verifier endpoints verifying a jwt-vc', async () => {
const holderTenant = await holder.agent.modules.tenants.getTenantAgent({ tenantId: holder1.tenantId })
const verifierTenant1 = await verifier.agent.modules.tenants.getTenantAgent({ tenantId: verifier1.tenantId })
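Review bot: The `.rejects.toThrow()` assertion on the `() => false` case passes for any rejection, so it does not show that the callback caused the failure; assert on the `CredoError` message, and replace the inline arrow functions with `jest.fn()` mocks so the test can also check that the callback was called once with the `authorizationRequest` argument. The second verifier, `signedCredential2` and `authorizationRequestUri2` are set up but never resolved in this test and can be dropped to keep the case focused on the callback.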
50 changes: 25 additions & 25 deletions pnpm-lock.yaml
